cifsd: Fix a use after free on error path

The ksmbd_free_work_struct() frees "work" so we need to swap the order of these two function calls to avoid a use after free. Signed-off-by: N Dan Carpenter <dan.carpenter@oracle.com> Reviewed-by: N Sergey Senozhatsky <sergey.senozhatsky@gmail.com> Signed-off-by: N Namjae Jeon <namjae.jeon@samsung.com> Signed-off-by: N Steve French <stfrench@microsoft.com>

cifsd: Fix a use after free on error path
The ksmbd_free_work_struct() frees "work" so we need to swap the order of these two function calls to avoid a use after free. Signed-off-by: N Dan Carpenter <dan.carpenter@oracle.com> Reviewed-by: N Sergey Senozhatsky <sergey.senozhatsky@gmail.com> Signed-off-by: N Namjae Jeon <namjae.jeon@samsung.com> Signed-off-by: N Steve French <stfrench@microsoft.com>
a2ba2709 · Dan Carpenter · Steve French · 8ef32967 · a2ba2709
隐藏空白更改
内联并排

Showing with 1 addition and 1 deletion

fs/cifsd/oplock.c fs/cifsd/oplock.c +1 -1

未找到文件。
--- a/fs/cifsd/oplock.c
+++ b/fs/cifsd/oplock.c
@@ -638,8 +638,8 @@ static void __smb2_oplock_break_noti(struct work_struct *wk)
 	if (allocate_oplock_break_buf(work)) {
 		ksmbd_err("smb2_allocate_rsp_buf failed! ");
 		atomic_dec(&conn->r_count);
-		ksmbd_free_work_struct(work);
 		ksmbd_fd_put(work, fp);
+		ksmbd_free_work_struct(work);
 		return;
 	}